Europe Needs to Stop Building Regulatory Moats and Start Building Markets
As geopolitical tensions reshape the technology landscape, Europe is doubling down on regulatory mandates, certification schemes, and the promotion of national champions in an effort to reduce its dependence on foreign cloud and AI infrastructure. While this instinct is understandable, Europe risks solving a geopolitical problem by inflicting an economic one on itself.
The DMA (Digital Markets Act) and DSA (Digital Services Act) came into force in 2022–2023, designed to regulate big tech companies operating in Europe. They represent a major point of transatlantic friction, with the U.S. threatening countermeasures. In response, the EU seems to be retrenching still further, and in June 2025, a key European Parliament committee defined tech sovereignty as “the ability to build capacity, resilience and security by reducing strategic dependencies, preventing reliance on foreign actors and single service providers, and safeguarding critical technologies and infrastructure. …” (“European Digital Sovereignty and Digital Infrastructure”; europarl.europa.eu/doceo/document/A-10-2025-0107_EN.html).
This was followed on Nov. 18, 2025, by the EU Member States signing the Declaration for European Digital Sovereignty in Berlin, defining digital sovereignty as “the EU and its Member States’ ability to act autonomously and to freely choose their own solutions, while reaping the benefits of collaboration with global partners, when possible.” (“Declaration for European Digital Sovereignty”; data.consilium.europa.eu/doc/document/ST-15781-2025-INIT/en/pdf).
Three tiers of sovereignty have emerged in the debate around policy thinking:
a) data sovereignty, or where data resides
b) operational sovereignty, or who controls encryption, patching, and personnel
c) strategic/legal sovereignty, or which jurisdiction’s law governs, and whether foreign governments can compel access.
Early EU policy focused almost entirely on tier a), while the current debate is forcing progress toward the latter points. What seems to be missing from this approach is the realization that true capacity, resilience, and security can only come from competitiveness.
Defining Sovereignty
A concept of sovereignty that boils down to “who owns and controls the servers” could be a particularly damaging proposition. Sovereignty is useful if defined as freedom for individuals and organizations to choose or switch providers, negotiate contracts, and compete fairly. True economic resilience can only be achieved through competition and dynamic private markets.
The countries that have achieved genuine digital resilience did so by building competitive markets and world-class infrastructure, not by introducing labyrinths of certifications, protecting favored providers, or creating a maze of mandates, certifications, and committees.
The idea that the government can help create or scale champions by picking winners is also dangerous, as has been proven throughout economic history. Governments usually fail to pick real winners and end up unable to stop subsidizing the “losers” once vested interest groups become strong enough to oppose cuts.
Europe, therefore, risks solving a geopolitical problem by inflicting an economic one on itself. The impulse to reduce dependency on foreign technology may be based on a legitimate concern. However, the policy reflex to do it through mandates, national champions, and regulatory burden is likely to prove self-defeating.
European Regulatory Constraints
European businesses already navigate the AI Act, General Data Protection Regulation (GDPR), the NIS2 directive, the Digital Operations Resilience Act (DORA), the Data Act, and a patchwork of national cloud certification frameworks. Adding a Cloud and AI Development Act, a revised EU Cloud Services (EUCS) scheme, and Buy European procurement preferences on top of these is not a strategy.